OAV Request For Comment OAV-RFC 0-001
by Howard Fuhs
Last changed: 06.06.2002
OAV-ICVAT changed into OAV-VAT
New rule #8 adedd
Some minor sentences deleted
Document maintainer: Howard Fuhs
Send all suggested changes for OAV-RFC 0-001 to:
hfuhs at openantivirus dot org
OAV Virus Analysis Team (OAV-VAT)
As it is the task of the Open Anti Virus Project to provide solutions
against computer viruses and malware to the computer users the
foundation members of the OAV project are facing the ethical and
practical problem of how to handle samples of viruses and malware
within their project.
To comply with their tasks it is neccessary to distribute virus and
malware samples within the OAV project to different
developers/persons. On the other hand everything possible must be
done by the OAV members to prevent that some might come to the
conclusion that OAV is just another public virus exchange board open
to everyone who wants malware.
Regarding the given facts and the problems which arise from them it is
inevitable to limit the access to the OAV Malware Sample Base (OAV-
MSB) to the absolute neccessary amount of people on the need to
As it is in most situations of life, granting access to the OAV Malware
Sample Base (OAV-MSB) is a matter of personal trust between the
active members of the OAV Virus Analysis Team (OAV-VAT) and the
person who is applying for access to the OAV Malware Sample Base
(OAV-MSB) and therfore automatically applying for OAV Virus Analysis
Team (OAV-VAT) membership.
Moreover it is neccessary to set up certain rules under which access to
the OAV Malware Sample Base (OAV-MSB) is granted.
1. Every person is entitled to apply for OAV Virus Analysis Team (OAV-
2. As the membership to the OAV Virus Analysis Team (OAV-VAT) is a
personal membership no company can apply for membership.
3. The candidate has to apply with a CV (curriculum vitae), a
description of his doings and professional backgrounds regarding data
security and give good reasons why OAV should grant access to the
OAV Malware Sample Base (OAV-MSB).
4. The candidate has to meet at least 50% of the OAV Virus Analysis
Team (OAV-VAT) personally for discussions about his background and
his reasons to join the OAV Virus Analysis Team (OAV-VAT). During
the personal meeting the candidate has to provide a valid and signed
PGP-Key to the members of the OAV Virus Analysis Team (OAV-VAT).
PGP keys sent by e-mail will not be accepted.
5. It is the obligation of every candidate to build up professional and
responsible relationships through cooperation with OAV Virus Analysis
Team (OAV-VAT) to proof his trustworthyness. Trust will not
automatically be given - trust must be earned.
6. The members of the OAV Virus Analysis Team (OAV-VAT) will have
a vote on whether to accept the candidate or not.
7. The candidate will only be accepted if ALL members of the OAV
Virus Analysis Team (OAV-VAT) give a positive vote. If one member
does not accept the candidate, the candidate is rejected.
8. An accepted candidate will have six month of probation. During that
time the new member can request specific viruses but will not have
access to the whole OAV Malware Sample Base (OAV-MSB).
9. The rejected candidate will have the opportunity to reapply for
membership after one year. In the mean time it is the obligation of the
future candidate to act according paragraph 5.
It is the obligation of every OAV Virus Analysis Team (OAV-VAT)
member to handle any malware samples responsible and secure. It is
not allowed to OAV Virus Analysis Team (OAV-VAT) members to share
malware samples outside of the OAV Virus Analysis Team.